versia-pub/server
2
0
Fork 0
mirror of https://github.com/versia-pub/server.git synced 2025-12-06 16:38:19 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(federation): 🐛 Remove usage of Origin header during federation

Browse source
This commit is contained in:
Jesse Wierzbinski 2024-07-26 19:26:35 +02:00
parent 558ae72c82
commit eb96544e68
No known key found for this signature in database
1 changed files with 20 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
server/api/users/:uuid/inbox/index.ts
View file

@ -45,7 +45,6 @@ export const schemas = {
signature: z.string(), signature: z.string(),
date: z.string(), date: z.string(),
authorization: z.string().optional(), authorization: z.string().optional(),
origin: z.string(),
}), }),
body: z.any(), body: z.any(),
}; };
@ -59,21 +58,10 @@ export default (app: Hono) =>
zValidator("json", schemas.body, handleZodError), zValidator("json", schemas.body, handleZodError),
async (context) => { async (context) => {
const { uuid } = context.req.valid("param"); const { uuid } = context.req.valid("param");
const { signature, date, authorization, origin } = const { signature, date, authorization } =
context.req.valid("header"); context.req.valid("header");
const logger = getLogger(["federation", "inbox"]); const logger = getLogger(["federation", "inbox"]);
// Check if Origin is defederated
if (
config.federation.blocked.find(
(blocked) =>
blocked.includes(origin) || origin.includes(blocked),
)
) {
// Pretend to accept request
return response(null, 201);
}
const body: Entity = await context.req.valid("json"); const body: Entity = await context.req.valid("json");
if (config.debug.federation) { if (config.debug.federation) {
@ -139,15 +127,27 @@ export default (app: Hono) =>
} }
} }
// Verify request signature
if (checkSignature) {
const keyId = signature const keyId = signature
.split("keyId=")[1] .split("keyId=")[1]
.split(",")[0] .split(",")[0]
.replace(/"/g, ""); .replace(/"/g, "");
const sender = await User.resolve(keyId); const sender = await User.resolve(keyId);
const origin = new URL(keyId).origin;
// Check if Origin is defederated
if (
config.federation.blocked.find(
(blocked) =>
blocked.includes(origin) || origin.includes(blocked),
)
) {
// Pretend to accept request
return response(null, 201);
}
// Verify request signature
if (checkSignature) {
if (!sender) { if (!sender) {
return errorResponse("Could not resolve keyId", 400); return errorResponse("Could not resolve keyId", 400);
} }